    Inedo Community Forums

    Latest posts made by kien.buit_2449
    • Alpine/APK-based container images show no vulnerabilities despite CVEs existing in PGVD

      We are evaluating ProGet for container image vulnerability scanning and comparing results with Trivy. We have identified an inconsistency in vulnerability detection specifically for Alpine Linux-based container images.

      Problem: ProGet does not surface OS-level vulnerabilities for Alpine (APK) based container images, while Ubuntu/Debian (dpkg) based images are scanned correctly and vulnerabilities are detected as expected.

      Example: Image: hysnsec/nginx-advanced (Alpine 3.10.2)

      • Trivy detects multiple CVEs including CVE-2021-36159 (CRITICAL) in apk-tools 2.10.4-r2, CVE-2021-30139 (HIGH) in apk-tools, CVE-2021-28831 in busybox 1.30.1-r2, and CVE-2020-1967 in libcrypto1.1.
      • ProGet correctly extracts and displays the APK package inventory (package names, versions, and architecture are all visible in the Packages tab).
      • However, ProGet reports "None" for vulnerabilities on all Alpine packages.

      Verified in PGVD: We confirmed that the relevant CVEs exist in the Inedo vulnerability database:

      • PGV-2156903 (CVE-2021-36159)
      • PGV-2156988 (CVE-2021-36159)

      Despite the CVEs being present in PGVD, they are not matched against the detected APK packages.

      What we have checked:

      • Vulnerability Database Updater job runs successfully and on schedule
      • Layer Scanning is enabled on the Docker feed
      • Package inventory is detected correctly (APK packages with versions are visible)
      • Ubuntu/Debian-based images DO return vulnerabilities correctly — confirming that container scanning, license, and PGVD are working
      • The issue is consistent across multiple Alpine-based images and multiple scans
      • The Compliance Analyzer scheduled job shows an error status (red icon)

      Our assessment: It appears that PGVD has the CVE entries but lacks the affected-package mappings for Alpine APK packages. The CVE-to-package correlation works for dpkg (Debian/Ubuntu) but not for APK (Alpine). We suspect the Alpine Security Database (security.alpinelinux.org) may not be integrated as a data source for PGVD's package-level mappings.

      Environment:

      • ProGet 2025.26 (Build 11), Trial Edition
      • Running on Docker (Linux VM)
      • Nginx reverse proxy in front of ProGet
      • PostgreSQL built-in database

      Request: Could you confirm whether Alpine/APK vulnerability matching is currently supported in PGVD? If not, is there a timeline for adding Alpine Security Database as a data source? Are there any workarounds we can use in the meantime?

      posted in Support
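The correlation step the post's assessment describes (a CVE entry is only useful to a scanner once it is mapped to an affected package and a fixed version, so that an installed version can be compared against it) is illustrated by the following added example. It is not code from the post, from ProGet or from Inedo. It parses a constructed excerpt in the layout of Alpine's /lib/apk/db/installed file and correlates it with a constructed table shaped like the secfixes entries published by Alpine's security database; the fixed versions, the libcrypto1.1 version and the placeholder CVE id are assumptions, and the version ordering is a simplified form of apk's.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the layout of Alpine's /lib/apk/db/installed
# (P: package name, V: version, A: architecture; records end at a blank line).
# apk-tools and busybox versions come from the post; libcrypto1.1 and musl
# versions are made up for this example.
INSTALLED_DB = """\
P:apk-tools
V:2.10.4-r2
A:x86_64

P:busybox
V:1.30.1-r2
A:x86_64

P:libcrypto1.1
V:1.1.1c-r0
A:x86_64

P:musl
V:1.1.22-r3
A:x86_64
"""

# Constructed mapping in the shape of an Alpine secdb "secfixes" table:
# package -> {fixed version -> [CVE ids fixed in that version]}.
# The fixed versions are illustrative assumptions, not copied from the real
# database; "CVE-0000-0000" is a placeholder id.
SECDB_FIXES: Dict[str, Dict[str, List[str]]] = {
    "apk-tools": {
        "2.10.7-r0": ["CVE-2021-36159"],
        "2.10.6-r0": ["CVE-2021-30139"],
    },
    "busybox": {
        "1.30.1-r3": ["CVE-2021-28831"],
        "0": ["CVE-0000-0000"],  # "0" marks a CVE that does not apply to this branch
    },
    "libcrypto1.1": {
        "1.1.1g-r0": ["CVE-2020-1967"],
    },
}


def parse_installed(db_text: str) -> Dict[str, str]:
    """Return {package: version} from an APK installed-database dump."""
    packages: Dict[str, str] = {}
    current: Dict[str, str] = {}
    for line in db_text.splitlines() + [""]:   # trailing "" flushes the last record
        if not line.strip():
            if "P" in current and "V" in current:
                packages[current["P"]] = current["V"]
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key] = value
    return packages


def apk_version_key(version: str) -> Tuple[List[Tuple[int, str]], int]:
    """Simplified APK version ordering: dotted components (number plus an
    optional letter suffix, e.g. "1c"), then the -rN package release.
    Real apk also orders _alpha/_beta/_pre/_p suffixes; this toy ignores them."""
    base, _, release = version.partition("-r")
    components: List[Tuple[int, str]] = []
    for comp in base.split("."):
        m = re.match(r"(\d+)([a-z]*)", comp)
        components.append((int(m.group(1)), m.group(2)) if m else (0, comp))
    return components, int(release or 0)


def find_vulnerable(db_text: str, fixes: Dict[str, Dict[str, List[str]]]) -> Dict[str, List[str]]:
    """Correlate installed versions with fix versions: a package is affected by
    every CVE whose fixing version is newer than the installed one."""
    findings: Dict[str, List[str]] = {}
    for name, installed in parse_installed(db_text).items():
        for fixed, cves in fixes.get(name, {}).items():
            if fixed == "0":                      # not-affected marker, never a real fix
                continue
            if apk_version_key(installed) < apk_version_key(fixed):
                findings.setdefault(name, []).extend(cves)
    return {pkg: sorted(cves) for pkg, cves in findings.items()}


if __name__ == "__main__":
    for pkg, cves in find_vulnerable(INSTALLED_DB, SECDB_FIXES).items():
        print(f"{pkg}: {', '.join(cves)}")
```

Without the second table the first one is inert: the inventory alone, which the post says ProGet already extracts, cannot produce a finding, which is exactly the gap the post suspects for APK. A packaging-aware version comparison matters as much as the mapping itself, since a naive string comparison would mis-order releases such as 1.30.1-r2 and 1.30.1-r10.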